I spend a lot of time thinking about these issues, and here are a few simple suggestions to get us started:

Eliminate the use of Social Security Numbers as the primary identifier for our credit history and financial accounts. Phase the change in over time. When the banks all scream, ask them how they do it in Europe and other regions.

Enforce a shared-costs model for credit card brands. Right now, banks and merchants carry nearly all the financial costs associated with credit card fraud. Although PCI is helping, it doesn’t address the fundamental weaknesses of the current magnetic stripe based system. Having the card brands share in losses will increase their motivation to increase the pace of innovation for card security.

Require banks to extend the window of protection for fraudulent transactions on consumer and business bank accounts. Rather than forcing some series of fraud detection or verification requirements, making them extend the window where consumers and businesses aren’t liable for losses will motivate them to make the structural changes themselves, for example by requiring transaction confirmation for ACH transfers over a certain amount.

Within the government, require agencies to pay for incident response costs associated with cybercrime at the business unit level, instead of allowing it to be a shared cost borne by IT and security. This will motivate individual units to better prioritize security, since the money will come out of their own budgets instead of being funded by IT, which doesn’t have operational control of business decisions.

Just a few quick ideas to get us started. All of them are focused on changing the economics, leaving the technical and process details to work themselves out.

There are two big gaps that aren’t addressed here:

Critical infrastructure/SCADA: I think this is an area where we will need to require prescriptive controls (air gaps & virtual air gaps) in regulation, with penalties. Since that isn’t a pure economic incentive, I didn’t include it above.

Corporate intellectual property: There isn’t much the government can do here, although companies can adopt the practice of having business units pay for incident response costs (no, I don’t think I’ll live to see that day).


Comments

Fri, July 16, 2010 2:36pm

hspcd,

Your theory depends on the losses being incurred by the target company, but that’s only a small part of the problem.

Most of the problems regulations are needed to address are those where the successful target of the attack is not the one that suffers the most losses. For example, losing a credit card or SSN. The real losses are borne by the person with the SSN, or various banking entities with the CC#, not the exploited company.

The economics thus tell the company to not worry about security, and keep all breaches secret to avoid any reputation damage. The good of the company is not aligned with the good of society.

Thus we use regulations to balance out the economics and make it in the interest of the company to protect the assets.

Without regulations we’d have BP-like spills on a regular basis and the companies would just spend a lot on PR to pretend it wasn’t their fault. Same with the financial system and a host of other areas.

I’ll take my big government. It’s either that, or I let a series of for-profit private businesses obsessed with keeping their stock price up control everything from the environment to our health care.

But putting the politics aside, from a purely economic perspective I can’t see how a complete hands-off from the government will result in protections for customers.

As for IP loss, I’m with you. Let any company lose what they want, unless it’s classified information or critical infrastructure; in those cases *the company* actually does bear the losses and the economics work themselves out.

By Rich

Fri, July 16, 2010 5:34am

In response to Ivan and Rich. What I think should be done: We continue to speak and consult as security professionals and point out the cost offsets that are had by defending data and ensuring CIA. Companies understand this when the concepts, as you so eloquently state them, are focused sharply on risk avoidance. The process works, albeit slowly as you know, as we all know.

I think getting behind government legislation that grants them more and more control over how private business operate just to speed up the implementation of security measures we’d like to see is the wrong thing to do.

Ivan says: “More security inevitably means more cost and a reduction in return on capital mostly because risk-adjusted RoC is rarely used and even if used generally it does not account for infosec risk.

The question then is, who is supposed to pay for the improvement of the overall security posture?”

You may be right, Ivan, but if the US government changes its current course and begins to use policies that promote private sector economic growth, eases up on taxes so companies can retain more of their profits, and exerts less actual control on the companies, then we’ll see those businesses with more cash on hand to spend on security and other things they deem necessary. On the other hand, if government continues to tighten its grip, companies will continue to shrink, the economy will continue to contract, and you and I will feel the pain as consumers and consultants and employees. It is very, very simple.

Again I say, we should all vote for smaller and less intrusive government, let the wonderful thing called Capitalism work the way it is supposed to, the way it did before government started fiddling with the controls, and we’ll all have plenty of work, plenty of money and companies will - will - do what they have to do to stay competitive, and sometimes that means spending more on security innovation.

By hspcd

Thu, July 15, 2010 10:21am

Dear hspcd,

I hope you realize that your comment does not provide any contribution to the topic. It is chock full of ideological bias but devoid of any actual proposal for solutions. You are just talking about the things that should not be done and the people that should not be proposing solutions, but you do not actually propose anything.

What do you think *should* be done? (As opposed to what shouldn’t.)

More security inevitably means more cost and a reduction in return on capital mostly because risk-adjusted RoC is rarely used and even if used generally it does not account for infosec risk.

The question then is, who is supposed to pay for the improvement of the overall security posture?

By ivan

Thu, July 15, 2010 9:40am

Tim,

Not all SCADA systems are online, and many of the ones that are can be more isolated without material impact on the business. There are plenty of better options to virtually air gap these systems in ways that still support critical business functions, but don’t have the darn engineer responding to phishing attacks from the same system they use to control their bit of the power grid.

By Rich

Thu, July 15, 2010 9:35am

Ivan,

Great ideas, and I think we are starting to see the earliest edges of this appear as more companies are reporting IT security risks in their filings.

Not many, but there is clearly precedent for what you are proposing.

By Rich

Thu, July 15, 2010 9:32am

hspcd,

Respectfully, your response appears based on pure ideology that “all of x is bad and y is good”, which is something, as a skeptic, that doesn’t work for me.

Separating the role of governments from society on these issues is impossible. Not all regulation is “socialism”, a word that is rarely used in accordance with its actual meaning.

In the real world, when talking about cybersecurity, it is impossible to ignore issues of policy and the role of government. Especially when evaluating the economics. And let’s be honest, it is economics, not technical controls, that can really impact our security.

By Rich

Thu, July 15, 2010 7:19am

After reading this I felt the need to address your comments on Critical Infrastructure/SCADA. First, air gapping is not really possible in today’s environment. Too much information is passed between entities to keep things running for this to be possible. As someone who has to live under the current level of controls (read compliance here), I will tell you that the implementation is not about security, but about compliance. I have seen many cases (including my own) where the compliance department is larger than the security department (or the implementers). Unfortunately, we spend tons of time in my corporation being compliant, NOT secure (and we are not alone).

So, if we are more prescriptive then compliance costs and time will rise, but given what I’m seeing today the benefit to actual security will be flat or diminished (and the benefit to auditors and compliance would be significant). Granted, compliance compels companies to spend money, but only to be compliant (not secure).

Maybe the government should take a page from its own playbook (FISMA), and instead of generating reams of information regarding compliance and still having significant intrusions, hold people accountable for the intrusions. Then when an intrusion occurs, look at their program to determine if and how much they should be fined (and the potential fines would be much, much higher). If companies had a model like that regulating them, then more money would be spent on REAL security and not paper-pushing activities.

I agree with Ivan, “All stick and no carrot will not work.”

By Tim

Thu, July 15, 2010 7:09am

Rich,

You’re a smart guy and I have enjoyed reading your thoughts on security issues; however, I think that the government needs to keep their hands out of private sector business operations. Your suggestion that government should dictate which parts of a business should be responsible for paying fines, for corrective action and technology is a viewpoint which we need less of in the U.S., not more.

More government interference with business means higher costs of doing business and less control and freedom. That means more cost to the consumer and less freedom. The net result is slower economic growth, and, less freedom.

You should stick to offering your views on security technologies, business challenges to securing their systems and data, and stay far, far away from offering advice on what the government should do unless of course you are recommending that they keep their hands out of our pockets and stop trying to run private businesses and redistribute dollars through legislation.

No amount of Socialist governing will increase the security of your and my information, in fact, the opposite will likely be true in the end. Are the Socialists in Europe more secure? Nah, they aren’t. And our banks here in the United States of America are free to see what the banks in other countries are doing but we don’t need to model our financial and regulatory systems after those in Europe.

Remember when America was the Gold Standard for innovation, justice, liberty and freedom? Leftist policies would have that erased from history. Let’s focus on what our companies can do to be more secure without suggesting government legislative take-over through regulation and without saying “Hey, the Europeans are great! They’re more fair and better than us anyway. Let’s be just like them.”

By hspcd

Wed, July 14, 2010 7:33pm

Require public companies and government organizations (at the very least) to disclose within time lapse “T” the occurrence and nature of any security or privacy incident with an estimated financial impact above “X” dollars and to disclose the way the incident is being or was addressed.

BTW, the NRC and SEC already do this for other types of risk.

Have the FTC (or some other governmental organization) monitor this information and (maybe) provide a risk ranking, then provide financial incentives (tax or other) to organizations that have a good infosec risk standing and track record, penalize those that don’t.

Impose severe penalties to those organizations that fail to comply with the mandate to disclose incidents and their corresponding resolution.

The underlying idea is to prompt organizations to implement effective security practices and to show them off to get a competitive edge.

All stick and no carrot will not work.

By ivan

Wed, July 14, 2010 3:05pm

I love a lot of these ideas! Great work here.

A few comments:

“Eliminate the use of Social Security Numbers as the primary identifier for our credit history and to financial accounts”

The problem with SSNs is that they are not used as the primary identifier—only 7 or 8 digits are used—and they are NOT matched with the name of the person. The only things that must match are 8 of the 9 digits unless 2 are swapped (thus, only 7 digits would match exactly). Some of the first name must also match i.e. there must be 3 letters from the first name that match the 7 or 8 SSN digits. The capability of identity-theft abuse with a handful of SSNs allows literally tons of new identities and credit histories to be formed. After about 6 months, these identities are eligible for more advanced transactions, and after 1 year they are available for limit raises and other new forms of credit. Combine this with shell companies and other white collar fraud, tax evasion, or money laundering techniques and you have a big, ugly ball of wax.

“Although PCI is helping”

Huh? No, PCI is only helping the credit card companies and issuing banks. It’s not making anything more secure. My favorite story that describes the problem well here is food testing standards. The companies that purchase meat set their own standards for testing controls. One of the more polished places that sells meat all over the country (no, not Walmart, another big chain—but this probably also applies to Walmart) has a huge list of controls: more than any others. However, their meat still lets some tainted meat through the process. How? Because the controls are too prescriptive and broad-reaching. If you compared their long list of controls to the short list of a local grocery that gets less tainted meat—you would notice that the local grocery specifies more detail that leads to less tainted meat specific to their region: with knowledge of local issues that would affect meat in their specific area.

And thus, the difference between compliance and risk management is exactly the same as the major countrywide chain vs. the local grocery. We do need multiple controls (perhaps even a long list), but they need to be tailored. If you are dressing up super models, you don’t hand them XS, SM, M, and L clothing. You don’t even hand them size 0,2,4,6. You tailor their fashion specific to the model’s body. The concept of L1-4 Merchants is retarded. The requirements do not fit the environments that they intend to protect. Even with alternate and compensating controls PCI DSS, COBIT, and even ISO 27k or FISAP miss the fundamental truth of the matter: they are not a good fit for any one organization.

Very few information security leaders want to get rigor around risk management, and this is a major problem in our industry.

“Any other ideas?”

We could really use enforced information sharing. It’s always going to be litigation that is going to force this. Attorneys General and the FTC need to assemble teams to start external performance accounting (and tie it into internal audit at the worst performing companies) around data breach notification laws. They need to find out who is not reporting and fine them. We need to start rewarding data breach whistleblowers.

Right now most companies do not know about their breaches because most choose not to know. They ignore ransom letters that threaten or prove the potential of a data breach by hitting the ‘delete’ key in their email. They turn off logging (when they should be turning up logging and centralizing it). They put up walls around auditors and assessors. They take measures to ensure that anyone who has seen a defacement (or other evidence of a breach) is silenced and the evidence destroyed. They grab disks on servers that have been breached, and instead of doing forensics, they scrub the data. These people are classic paper shredders.

Look at the history of what companies have done to vulnerability researchers who disclose application security issues—responsible or not. “That’s not exploitable—it’s just a cosmetic crash! We’re rolling out a new version tomorrow that is totally different than the current code anyways”.

By Andre Gironda
